The Vilkas Wire
Why Default Credentials Are Still One of the Biggest Cybersecurity Risks (and How to Eliminate Them)
Aug 14, 2025 · By Ben Rollin

When most people picture a cyberattack, they imagine sophisticated exploits, zero-day vulnerabilities, or advanced nation-state tools. But in penetration tests and real-world breaches, the starting point is often much simpler: a default username and password.
Default credentials, the vendor-supplied logins like admin:admin or root:calvin, remain among today's most overlooked yet impactful security gaps. They’re so simple that they often don’t get the attention they deserve, and that’s precisely why they keep showing up in attack chains, both in our team's penetration tests and real-world breaches.
Default Credentials in the Wild
Even in 2024–2025, high-profile, newsworthy breaches continue to occur due to a preventable issue: default or built-in credentials.
- McDonald’s AI Hiring Bot (Paradox.ai “Olivia”): An administrator account was set with the credential pair 123456:123456, exposing the details of 64 million applicants across various regions.
- National Public Data / RecordsCheck.net Breach: A publicly accessible zip archive revealed plaintext admin credentials, possibly default or reused, enabling intruders to steal 2.9 billion records, including U.S. Social Security Numbers.
- Unitronics PLC Attacks on Critical Infrastructure: By compromising PLCs secured with default or no passwords, attackers accessed U.S. water treatment systems and caused disruptions.
Each of these cases demonstrates that default credentials present real, active threats enabling massive compromise, exposure, and exploitation that can have devastating effects.
Default Credentials: A Persistent Problem
Unchanged passwords are dangerous, and not just attackers and penetration testers are pointing this out. Recent research and government warnings show that the problem is widespread.
Public Awareness (or Lack of It)
In 2024, Broadband Genie released its third Router Security Survey, polling more than 3,000 users. The findings were sobering:
- Most people still have not changed their home routers' default settings or passwords.
- This echoed similar surveys from 2018 and 2022, showing little improvement over six years.
In other words, millions of devices are still shipped, plugged in, and left wide open to anyone who knows the manufacturer’s defaults. Though the survey focused on individual users, the same issue spills over into corporate environments because of a lack of awareness around changing defaults.
(Source: Broadband Genie Router Security Survey 2024)
Policy Guidance Isn’t Enough
The issue is so significant that in late 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert urging technology manufacturers to eliminate default passwords altogether. The guidance encouraged vendors to require unique credentials or password changes during the first setup.
Yet here we are in 2025, and default logins remain a common entry point in real-world breaches. Despite clear government warnings, many products still ship with admin:admin or similar weak defaults.
(Source: CISA Alert: Eliminating Default Passwords)
Why it matters: The combination of consumer inaction and vendor negligence keeps default credentials alive, and attackers know it. Even with growing awareness and formal advisories, the basics remain overlooked.
Why Default Credentials Persist
If the risks are obvious, why do we continue to encounter this issue?
- Speed over security: Teams push new systems online quickly, promising to “fix it later.” More often than not, later never comes.
- False sense of isolation: Admins assume that if something sits “behind the firewall,” it’s safe. That logic collapses once an attacker gains any internal foothold.
- Shadow IT and forgotten assets: Development servers, test appliances, or untracked devices bypass IT oversight and are left unsecured.
- Vendor negligence: Many vendors still ship products with hardcoded defaults that are not required to be changed at first login.
Why They’re Dangerous
Default credentials are some of the lowest-hanging fruit for attackers. They may be:
- Publicly documented in vendor manuals and widely available online.
- Frequently reused across multiple systems for convenience.
- Often forgotten after deployment, especially in legacy environments.
The danger isn’t the credential itself but the privileged access it unlocks. A single default login can open the door to remote code execution, lateral movement, or even full domain compromise.
The Risk Landscape
Web Applications & Development Tools
- Tomcat: Admin web consoles still exposed with default logins can be used to deploy a malicious application, which often leads to remote command execution on the underlying server.
- Jenkins: If left unsecured, attackers can execute arbitrary Groovy scripts, resulting in remote code execution on the Jenkins server.
- Axis2: Similar to Tomcat, a legacy service that allows malicious application deployments when defaults are present.
Monitoring & Infrastructure Tools
- Splunk: Can be abused by uploading malicious apps.
- ManageEngine suite: These tools may allow for running malicious scripts that
- Monitoring consoles often integrate directly with Active Directory so that a default credential can become an AD-level breach.
Legacy Enterprise Apps
- WebLogic, WebSphere, and ColdFusion admin panels, among others, can be leveraged to deploy malicious code.
- Large organizations often have one or two legacy apps that are still lingering, forgotten, and accessible.
Infrastructure Devices
- Routers, firewalls, and appliances are especially dangerous when defaults remain:
  - Service disruption by malicious reconfiguration.
  - Pivoting deeper into the network.
  - Credential theft from stored configuration files.
  - Direct remote command execution.
Real-World Examples
Below are a few real-world examples from Vilkas' penetration test engagements. In each of these scenarios, our consultant would not have gained a foothold without default credentials in place for the targeted service.
- Case 1: External service → Domain compromise
An internet-facing management tool was left with default credentials. Our consultant leveraged this to gain access to the internal network, move laterally, escalate privileges, and ultimately compromise the Active Directory domain. All of this originated from typing admin:admin in a login form.
- Case 2: Network appliance → SSH foothold → Domain compromise
A network device exposed to the internet was still using its default password. We logged in via the SSH remote access service, found additional credentials in a configuration file, mapped the internal network, and eventually achieved domain compromise.
- Case 3: AI security appliance demo account
During a particularly frustrating internal penetration test where there seemed to be no way "in", our consultant found a “next-gen” security tool shipped with admin:admin default credentials for its web administration interface. Once accessed, the consultant found Active Directory credentials stored in clear text, which kicked off an attack chain that once again culminated in domain compromise.
- Case 4: Active Directory (AD) management tool left in demo mode
A demo instance of an AD management console with default credentials for the web management portal was left and forgotten. This tool was running in the context of a privileged AD account, and we could leverage it to create a user, assign it to a privileged group, and eventually gain further access, resulting in domain compromise. This was another instance of an extremely well-hardened network where one minor oversight led to cascading results.
In every instance, our consultants' attack paths started with a single unchanged password.
Common Mistakes That Enable Defaults
- No asset inventory: You can’t protect what you don’t know exists.
- No credential rotation: Devices keep the same password for years.
- No credential audits: Regular checks for weak or default logins are missing.
- Misaligned priorities: IT pushes uptime, vendors want usability, security fights for control, and security loses.
Key Takeaways
Even the most hardened environments can fall apart due to basic oversights. Default credentials are the cybersecurity equivalent of leaving the keys under the doormat.
Vilkas has repeatedly proven the gravity of this issue. In our Top 10 Penetration Testing Findings of 2024 blog post, Default Credentials ranked #7 among the most frequent issues uncovered during real-world assessments. That means they’re not rare edge cases but an issue that plagues organizations, big and small, regardless of their overall security posture.
How to Eliminate the Risk
This problem is entirely solvable. Organizations can drastically reduce risk by:
- Maintaining an accurate asset inventory so nothing slips through the cracks.
- Requiring password changes during deployment for every system, device, and appliance.
- Applying configuration management policies that cover test, demo, and proof-of-concept systems.
- Auditing regularly for known defaults both within the internal and external network.
- Training staff to recognize the risks and prioritize eliminating defaults.
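As an added illustration (example code written for this article, not a Vilkas tool), the script below runs the inventory, rotation, default-credential and demo-system checks above over a constructed asset inventory and a constructed vendor-default list. It assumes, hypothetically, that each device's configuration export stores an unsalted SHA-256 of the admin password, so a default can be recognized offline without logging in to anything.

```python
import hashlib
from datetime import date

def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed vendor-default list (illustrative product names, not a real database).
VENDOR_DEFAULTS = {
    "router-x":   [("admin", "admin")],
    "plc-y":      [("admin", "1111"), ("admin", "")],
    "hiring-bot": [("admin", "123456")],
    "ad-console": [("admin", "admin")],
}

# Constructed inventory records. Assumption (hypothetical): the config export
# stores an unsalted SHA-256 of the admin password; real products vary.
INVENTORY = {
    "fw-01":       {"product": "router-x",   "user": "admin", "pw_sha256": sha256_hex("admin"),
                    "changed": date(2023, 1, 10), "role": "prod", "exposure": "internet"},
    "plc-03":      {"product": "plc-y",      "user": "admin", "pw_sha256": sha256_hex("Tr0ub4dor-pLc"),
                    "changed": date(2025, 3, 1),  "role": "prod", "exposure": "internal"},
    "hr-bot":      {"product": "hiring-bot", "user": "admin", "pw_sha256": sha256_hex("123456"),
                    "changed": date(2025, 6, 1),  "role": "prod", "exposure": "internet"},
    "adtool-demo": {"product": "ad-console", "user": "admin", "pw_sha256": sha256_hex("S3cret-xyz"),
                    "changed": date(2025, 7, 1),  "role": "demo", "exposure": "internet"},
}

# Constructed result of a network discovery scan: hostnames that answered.
DISCOVERED = {"fw-01", "plc-03", "hr-bot", "adtool-demo", "jenkins-dev"}
AUDIT_DATE = date(2025, 8, 14)

def audit(inventory, discovered, defaults, today, max_age_days=365):
    """Return (host, finding) pairs for the oversights listed in the article."""
    findings = []
    for host in sorted(discovered - set(inventory)):          # no asset inventory
        findings.append((host, "untracked asset: answered on the network but not in inventory"))
    for host, a in inventory.items():
        for user, pw in defaults.get(a["product"], []):        # known vendor default still set
            if a["user"] == user and a["pw_sha256"] == sha256_hex(pw):
                findings.append((host, f"vendor default credential {user}:{pw or '<empty>'}"))
        if (today - a["changed"]).days > max_age_days:         # no credential rotation
            findings.append((host, f"password not rotated in {max_age_days} days"))
        if a["role"] in ("demo", "test", "poc") and a["exposure"] == "internet":
            findings.append((host, f"{a['role']} system reachable from the internet"))
    return findings

if __name__ == "__main__":
    for host, msg in audit(INVENTORY, DISCOVERED, VENDOR_DEFAULTS, AUDIT_DATE):
        print(f"{host:12} {msg}")
```

Feeding it a real CMDB export and the vendor defaults your fleet actually ships with turns the "audit regularly" bullet into a repeatable job; a salted hash format would need a verify call instead of the equality check.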
Conclusion
Default credentials remain one of modern networks' most preventable yet impactful security risks. The danger isn’t the password itself but the privileged access it provides.
Fixing the basics means organizations can avoid being the next story that ends with, “we thought we did everything right...” (except for the one forgotten default account).
Eliminating default credentials is one of the fastest, cheapest, and most effective ways to raise the security bar. And it’s a step no organization can afford to skip.